
DORA (Digital Operational Resilience Act)

EU Regulation 2022/2554 establishing ICT risk management, incident reporting, and resilience testing requirements for the financial sector.

DORA (Digital Operational Resilience Act) is EU Regulation 2022/2554, which applies directly — without requiring national transposition — across all EU member states. It came into full effect on 17 January 2025 and is specifically designed to strengthen the digital operational resilience of the financial sector. DORA covers banks, insurance companies, investment firms, payment service providers, crypto-asset service providers, and their critical ICT third-party service providers.

DORA establishes five pillars of digital resilience: ICT risk management, ICT incident classification and reporting, digital operational resilience testing, ICT third-party risk management, and information sharing. Financial entities must maintain and test comprehensive ICT risk management frameworks, report major ICT-related incidents to their financial supervisor, and conduct regular resilience tests — with significant entities required to perform threat-led penetration testing (TLPT) every three years.

A distinctive feature of DORA is its focus on supply chain and third-party risk. Financial entities must manage and monitor their critical ICT providers, which in turn are subject to direct oversight by European Supervisory Authorities (ESAs). Organizations with an existing ISO 27001 ISMS have a solid foundation for DORA compliance, though DORA's requirements — particularly on resilience testing and third-party management — go beyond what ISO 27001 alone covers.

Legal Basis

EU Regulation 2022/2554 (DORA); RTS/ITS issued by EBA, EIOPA, and ESMA under DORA

Practical Example

A German investment firm must comply with DORA from January 2025. It conducts a gap analysis against DORA's five pillars, discovering that its ICT incident classification process and third-party risk register need significant updates. The firm creates a DORA compliance project: updating its ICT risk management framework, establishing a formal incident reporting workflow to BaFin, registering all critical ICT providers in a register of information, and commissioning its first digital operational resilience test. The compliance programme is overseen directly by the management board as required by DORA.

FAQ

Who does DORA apply to?

DORA applies to a wide range of financial entities regulated in the EU, including banks, insurers, investment firms, payment institutions, e-money institutions, crypto-asset service providers, and central securities depositories. ICT third-party providers that are designated as "critical" by the European Supervisory Authorities are also directly subject to DORA oversight.

How does DORA relate to NIS 2?

NIS 2 and DORA both address cybersecurity and incident reporting, but DORA applies the lex specialis principle for the financial sector: financial entities subject to DORA comply with DORA's incident reporting requirements rather than NIS 2's, where the requirements overlap. However, the two frameworks are complementary and an organization may need to consider both.

Is ISO 27001 certification sufficient for DORA compliance?

ISO 27001 provides a strong foundation for DORA compliance, particularly for ICT risk management. However, DORA goes further in several areas — especially resilience testing (including TLPT), detailed incident reporting timelines, and direct oversight of critical ICT third-party providers. ISO 27001 alone is therefore not sufficient to demonstrate full DORA compliance.
